On Fri, Sep 9, 2016 at 3:39 PM, Emmanuel Bourg wrote:
> "For packages in the main archive, no build step may attempt network
> access in a way that:
> - leaks sensitive data
> - changes the build result or the operations performed to produce it"
>
> (with the build result defined as the binary packages produced)

I think what we actually want is for the build to be completely self-contained, whether or not the person running the build is using technical mechanisms to enforce that. So something like this:

Nothing inside the build environment (defined as dpkg-buildpackage or debian/rules and all sub-processes along with the files installed from build-essential and Build-Depends) may contact any processes, network resources nor use any files outside the build environment (modulo /dev/null and the like).

--
bye,
pabs

https://wiki.debian.org/PaulWise